Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #12

February 12, 2008

Breaking news: As we go to press on Tuesday afternoon, Google, Microsoft, IBM, Yahoo and VeriSign report that they have reached an agreement to support the OpenID spec that allows individuals to create one user name, password, and other credentials for logging onto multiple Web sites that support the spec. Could be a nice step forward. More data: http://www.campustechnology.com/articles/58342 -- Alan

SANS Joins with Infosecurity Europe 2008 - London (22nd-24th April)

Four ways to take advantage of this joint initiative:

1. SANS leading instructor Arrigo Triulzi will be teaching SEC517: Cutting-edge Hacking Techniques Hands-on, on Tuesday 22nd, a phenomenal one-day experience of the most important new exploits discovered in the last 18 months. Please register to avoid disappointment at http://www.sans.org/infosec08_london/
2. Alan Paller and Mason Brown will keynote on the topic of "Five Keys to Effective Application Security and Secure Coding" on Tuesday 22nd April. Details are available at http://www.infosec.co.uk/page.cfm/action=Seminars/SeminarID=209
3. The Infosecurity Europe Hall of Fame on Wednesday 23rd.
4. Pick up your new threat map and say hello at the SANS Booth A132. http://www.infosec.co.uk/page.cfm/action=Seminars/SeminarID=212

WAIT 'TIL YOU HEAR WHAT'S NEW IN LAPTOP ENCRYPTION! Outdated encryption methods, such as Full Disk (FDE), require unwelcome compromises to existing IT operations and support processes, and can't provide the level of data security now needed. A new, better encryption technology is here! Reg. for live webcast and to win $500 gift card. http://www.sans.org/info/23953

TOP OF THE NEWS

Experts at SophosLabs scanned all spam messages received in the company's global network of spam traps, and found a dramatic rise in the proportion of the world's spam messages being sent from compromised Russian computers. Russia now accounts for one in twelve junk mails seen in inboxes. Between October and December 2007, the USA relayed far more spam than any other country, because so many US computers have been taken over by remote hackers.
-http://www.sophos.com/pressoffice/news/articles/2008/02/dirtydozfeb08.html

Adobe Reader Flaw Actively Exploited (February 10 & 11, 2008)

Attackers have been actively exploiting a recently patched JavaScript vulnerability in Adobe Reader since January 20. Thousands of computers are believed to have been infected as a result. Adobe released an update last week to address a number of vulnerabilities, but did not provide details about the flaws. The exploit spreads the Zonebac Trojan horse program through a maliciously crafted PDF file traced to a server in the Netherlands. Zonebac reportedly disables antivirus programs and alters search results and banner ads. Users are urged to update their versions of Acrobat Reader.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9061938&source=rss_topic17
-http://www.theregister.co.uk/2008/02/11/adobe_reader_exploit/print.html
-http://www.vnunet.com/vnunet/news/2209318/attacks-target-pdf-flaw
[Editor's Note (Skoudis): Here's more proof that enterprises need patching processes and systems that can quickly test and deploy patches for third-party apps and not just for Microsoft products. While you are deploying this Adobe Reader update, double check your Java Runtime Environment, Quicktime, Flash, and other software patch levels. If you are going to touch all of your machines, get all of this stuff up to date, as exploits were released for all of them in the past several months. Whenever we do a penetration test, we almost always get in with a client-side exploit of such third-party software. ]

Thousands of families whose personal information was on the HM Revenue and Customs disks that were lost in the mail have signed up to file claims against the UK government. The families have registered with a company that maintains the government has breached the Data Protection Act (DPA) and that those affected are entitled to compensation of between GBP 50 and GBP 300 (US $98 and US $585). For the claims to move forward, however, HMRC would have to be found guilty of having breached the DPA. The results of an official inquiry into the data loss are expected in June.
-http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=513344&in_page_id=1770

************************** Sponsored Links: ***************************

1) SANS Third Annual Log Management Survey What are the challenges in log management? Have perceptions changed since last year? Help us find out! Take the survey at http://www.sans.org/info/23958

2) By converging networking and security, StillSecure provides intelligent networks that are easy to manage and protect. http://www.sans.org/info/23963

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Spanish Police Arrest 76 for Internet Fraud (February 11, 2008)

Seventy-six people arrested by Spanish police are believed to have stolen more than 3 million Euros in a variety of Internet fraud schemes. Some of the suspects allegedly sold expensive merchandise on auction sites but never sent the items. Other suspects allegedly used stolen bank account information, probably stolen in a phishing scam, to siphon money into their own accounts.
-http://www.theregister.co.uk/2008/02/11/spanish_police_fraud_crackdown/print.html
[Guest Editor's Note (Raul Siles): The police operation has been called Ulises and it involved actions in 14 different provinces plus Ceuta. The stolen bank credentials were obtained from phishing scams, impersonating banks and the national tax administration (equivalent to the IRS in the US), and they also used fake auction sites. The amounts stolen range from 400 to 10,000 euros per victim, for a total of more than 3 million euros. The suspects are from Spain and 16 other nationalities, and the victims are from all over the world. The attacks and frauds are not new, but it is good to see effective police operations and the criminals being arrested. ]

Police Officer Charged with Computer Crime (February 6 & 7, 2008)

A 17-year veteran of the Hartford, Connecticut police force has been arrested and charged with committing a computer crime in the third degree, which is a Class D (violent) felony. Sgt. Reginald Allen allegedly obtained information from the National Crime Information Center and provided it to a friend, who used the information to harass an ex-boyfriend's current girlfriend. The girlfriend alerted authorities.
-http://www.scmagazineus.com/Conn-police-sergeant-charged-with-computer-crime/PrintArticle/105085/
-http://www.courant.com/news/local/hc-ctallenarrest0206.artfeb06,0,1692714.story
[Editor's Comment (Northcutt): How long have we been preaching that if we create databases with information on citizens that access would be abused? There are two similar stories in this NewsBites and the words ringing in my head are that they did it, "for fun". Take a few minutes to read this analysis from the Cato Institute:
-http://www.cato.org/pubs/pas/pa-295.html
Totally off topic, but I was looking at PaulDotCom's YouTube ad video for his SANS course on hardware hacking, and it hit me; if you can reprogram a wireless router, you can make it do just about anything (duh). Obvious threats are eavesdropping and masquerading as a trustworthy access point. However, you can do that without first modifying an access point. If you think of some really nefarious cyber ninja tricks that you could accomplish only by reprogramming a network device to do your bidding, please drop me a note, stephen@sans.edu, I am considering adding this to the threat section in my course.
-http://www.youtube.com/watch?v=uYBUixjnpgo ]

Irish Government Called on to Improve its Data Security (February 8, 2008)

Ireland's Fine Gael party wants the country's government to implement stronger security controls on its data management. In the last five years, 80 government laptops, 19 Blackberrys and 10 USB memory devices have been lost or stolen. In addition, four government websites have recently been attacked. Officials maintain that no sensitive data were compromised as a result of the missing devices.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3958

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Apple Issues Mac OS X Update (February 11, 2008)

Apple has released Security Update 2008-001 for Mac OS X to address 10 vulnerabilities in the operating system. The update covers both Tiger and Leopard users; the flaws place unprotected systems at risk of code execution, denial-of-service, and information disclosure. One of the flaws fixed in the update is a stack buffer overflow that was disclosed about a year ago during the Month of Apple Bugs project.
Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=3974

AV Site Infected with Malware (February 10, 2008)

A web page on the website of Indian antivirus company AVSoft Technologies was "seeded" with malware that exploits the iFrame vulnerability to infect visitors' computers with the Virut virus. The iFrame vulnerability is caused by an unchecked buffer in Internet Explorer's processing of certain HTML elements such as FRAME and IFRAME elements. That malware creates a backdoor on the machines it infects, allowing attackers to download more malware onto the computers.
-http://www.theregister.co.uk/2008/02/08/indian_av_site_compromise/print.html
[Editor's Note (Northcutt): What a bad day for them and to make things worse, if you tried to get to their site 24 hours after the incident from Google, you got the StopBadware.org intercept page from Google. That can't be good for business.
-http://isc.sans.org/diary.html?date=2004-11-20 ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

The names, addresses, credit card and debit card information of people who made purchases through Major League Soccer's MLSgear.com website were compromised last year. The data were exposed through SQL injection attacks during the first eight months of 2007 on third party servers hosting the customer data. MLS has terminated its relationship with that provider. A breach notification letter mentions that MLS has taken steps to improve security, but did not clarify what those steps were.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=internet_business&articleId=9061858&taxonomyId=71&intsrc=kc_top
[Editor's Note (Honan): When you outsource services to a third party you should ensure that you retain the right to audit and test the security of the systems for the outsourced party. ]
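The MLSgear.com item above says only that customer data were exposed through SQL injection on a hosting provider's servers; it does not describe the provider's code. The following is an added illustration, not code from MLS, its provider, or the article, showing the defect class behind that kind of breach beside its standard fix. It uses an in-memory SQLite table with constructed sample customers (the table, column names and e-mail addresses are all made up for the example): the first lookup pastes user input into the SQL text, so a query-altering input returns every row; the second passes the value as a bound parameter, so the same input matches nothing.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data standing in for an outsourced order database.
    Nothing here is from MLSgear.com or its hosting provider."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", "1111"),
            (2, "bob@example.com", "2222"),
            (3, "carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately unsafe (the 'before'): the caller's input becomes part of
    the SQL text, so it can change the query's logic, not just its data."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened form: the driver sends the value separately from the query,
    so whatever the input contains is compared as a literal string."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    conn = build_demo_db()
    # A value that, when spliced into the vulnerable query, turns the
    # WHERE clause into a condition that is true for every row.
    crafted = "x' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(conn, crafted))      # all three customers leak
    print("parameterized: ", lookup_parameterized(conn, crafted))   # [] -- no such literal e-mail
    print("normal lookup: ", lookup_parameterized(conn, "bob@example.com"))
```

The point for the outsourcing discussion in the editor's note is that this defect is invisible from outside unless someone is allowed to test for it; the right to audit and test the provider's code, or at least to run an application-layer scan against it, is what lets a customer catch the concatenated form before an attacker does.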

A laptop computer holding personally identifiable information of approximately 4,300 current and former employees of Memorial Hospital in South Bend, Indiana was lost last November. The data were on an employee's computer that was lost while she was traveling; the computer was not encrypted.
-http://www.wsbt.com/news/local/15408791.html

MISCELLANEOUS

Two Collier County (Florida) Sheriff's Office employees have been fired for accessing the office's computer system and looking up information about other deputies, an FBI agent, and family members. One of the fired individuals said they did the searches "for fun." Both fired employees worked in the Fingerprinting Department. The unauthorized activity was discovered when one of the people whose information was searched alerted the authorities. To prevent future privacy breaches, the Sheriff's Office will conduct random checks of the computer system and audit for unusual activity.
-http://www.winknews.com/news/local/15408931.html

What's What in a Breach Notification Letter (February 2008)

Breach notification letters often involve an intricate dance of language. A pair of public relations professionals dissects actual breach notification letters from Monster.com and USAJOBS. They analyze the merits of differing approaches to notification: the choice of salutation; the pros and cons of apologizing; the level of detail offered. Most of the time, it appears that breach notification letters will raise as many if not more questions than they answer. This article is a good resource for those who find themselves burdened with the unfortunate task of drafting such a letter.
-http://www2.csoonline.com/exclusives/column.html?CID=33523
[Editor's Note (Northcutt): Just when you think there is nothing left to say about data breaches, someone amazes you. Nice job CSO Magazine! ]

Roman Aqueducts Redux

A concise version of the paper on lessons the Roman Aqueducts provide for securing power grids appears in CSO Online. (The original version ran on January 15, NewsBites Volume 10, Number 4.)
-http://www2.csoonline.com/exclusives/column.html?CID=33519
[Editor's Note (Ranum): The article sounds plausible, but the differences between Rome and its aqueducts and the US and its power grids are simply so vast that all we're left with is an article that amounts to argument by analogy. ]

So you've collected event logs from security devices and other critical systems and stored them away - great. Check the compliance box. Now what?

Logs are important... but only if you are doing something with them.

They provide valuable, credible, accurate information about what is going on in your interconnected environment. But if your logs are not being analyzed regularly and in real time, how can you tell whether data is seeping out of your databases and other critical applications? Manually glancing through logs may be enough to "check the box" for compliance purposes, but it is definitely not enough to detect data theft or other malicious activity.

Still think that locking down root access to operating systems is the cornerstone of security, or that your perimeter can't be tunneled under? Please join John Strand, certified SANS instructor and security consultant with Argotek, for this free webcast.

In this webcast, we'll discuss the reasoning behind a "whitelist" approach, how change monitoring can complement logging and event monitoring in your security program, and common system changes that may indicate malicious activity.

Recently there has been substantial media hype surrounding cyber attacks against critical infrastructure: oil and gas, power and energy, chemical, etc. Few disagree that systems controlling critical infrastructure make valuable targets for a wide range of attackers and pursuits; but the FUD sometimes shadows the facts. So rather than debate the threat level, this webcast will focus on empirical findings derived from multiple, federally funded research projects. These collaborative projects have brought together federal agencies, academia, control system vendors, IT security vendors like ArcSight, and industry representatives to research and test practical cyber incident prevention, detection and response.

The success of a security test is often determined in the planning stage, when the "human element" plays a critical role. This is especially true for penetration testing projects, which sometimes encounter political hurdles before they even begin.

Please join us to learn how, with a little transparency and tact, you can not only get approval for pen testing projects but also help colleagues use the results to improve your overall security.

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/